Script started on Sat Aug 9 15:42:00 2003

[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO hidden modules were found.
NO system call table modifications were found.
NO hidden processes were found.
WARNING: File size is 60133 (should be 53885): /var/log/sa/sa09
WARNING: File size is 1010871 (should be 1010003): /var/log/cron
WARNING: File size is 597700 (should be 597264): /var/log/maillog
NO hidden files were found.
NO hidden TCP port listeners were found.
[root@localhost interrogator]# exit

Script done on Sat Aug 9 16:01:52 2003 

FIG. 20(a) 



[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

NO hidden modules were found.
NO system call table modifications were found.
WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing

HIDDEN File found: /tmp/hideme
WARNING: File size is 62629 (should be 61381): /var/log/sa/sa09
WARNING: File size is 1013693 (should be 1012816): /var/log/cron
WARNING: File size is 599450 (should be 599012): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222
[root@localhost interrogator]# exit
[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]



[ SUMMARY ]

WARNING suspect module found: f8a0c000 8000 bytes (adore)
Image stored at /tmp/interrogator/adore.o
FOUND 1 HIDDEN module loaded

WARNING: Deviations found in the sys_call_table
syscall [2] FAILED 0xf8a0f650 fork
syscall [4] FAILED 0xf8a0f7e8 write
syscall [5] FAILED 0xf8a10184 open
syscall [6] FAILED 0xf8a0f898 close
syscall [18] FAILED 0xf8a0fbe4 oldstat
syscall [37] FAILED 0xf8a0f710 kill
syscall [39] FAILED 0xf8a0f9a0 mkdir
syscall [84] FAILED 0xf8a0fcd0 oldlstat
syscall [106] FAILED 0xf8a0fdbc stat
syscall [107] FAILED 0xf8a0fe94 lstat
syscall [120] FAILED 0xf8a0f6b0 clone
syscall [141] FAILED 0xf8a0f368 getdents
syscall [195] FAILED 0xf8a0ff80 stat64
syscall [196] FAILED 0xf8a10080 lstat64
syscall [220] FAILED 0xf8a0f4dc getdents64
Suspect module located (0xf89da6d8 - 0xf8a12000)
FOUND 15 Modified syscall table functions

WARNING: Found process id 836 removed from the task_queue.
Launch Path: /root/code/interrogator/demo/trojans/test
WARNING: process id 13745 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 2 Hidden process listings

HIDDEN File found: /tmp/hideme
WARNING: File size is 2336990 (should be 2335392): /var/log/messages

HIDDEN TCP Port Listener found: port 111
HIDDEN TCP Port Listener found: port 139
HIDDEN TCP Port Listener found: port 2222
HIDDEN TCP Port Listener found: port 6000
HIDDEN TCP Port Listener found: port 32768
HIDDEN TCP Port Listener found: port 32769
[root@localhost interrogator]# exit
[root@localhost interrogator]# ./interrogator
Where would you like the results stored? [/tmp/interrogator/]
Check for hidden processes? [Y]
Check for hidden TCP port listeners? [Y]
Check for system call patching? [Y]
Check for hidden kernel modules? [Y]
Check for hidden files? (may take > 15 minutes) [N] Y
Running the interrogator... this may take a minute
Results are located at /tmp/interrogator/summary
View results now? [Y]

[ SUMMARY ]

WARNING suspect module found: f8a10000 184700 bytes (homegrown)
FOUND 1 hidden module loaded

WARNING: Deviations found in the sys_call_table
syscall [3] FAILED 0xf8a11494 read
syscall [5] FAILED 0xf8a11020 open
syscall [11] FAILED 0xf8a10ebc execve
syscall [13] FAILED 0xf8a118a0 time
syscall [78] FAILED 0xf8a1183c gettimeofday
syscall [141] FAILED 0xf8a11544 getdents
syscall [220] FAILED 0xf8a116c0 getdents64
Suspect module located (0xf89db6d8 - 0xf8a3f000)
FOUND 7 Modified syscall table functions

WARNING: process id 1584 hidden or just exited (tb)
Launch Path: /root/code/interrogator/demo/trojans/tb
FOUND 1 Hidden process listing

HIDDEN File found: /tmp/hideme
WARNING: File size is 1021523 (should be 1020648): /var/log/cron
WARNING: File size is 603820 (should be 603384): /var/log/maillog

HIDDEN TCP Port Listener found: port 2222
[root@localhost interrogator]# exit